Minor security problem at Veoh.com

Veoh was established years ago as a video sharing service. Perhaps as many as ten years ago, I set up two accounts there. One for my self, to which I uploaded just two videos, plus a second one to test out for a daughter who was about to do a study abroad – she could use that account to post videos. We never used this one, though, and the account languished.

I did not remember the password to that second account – but I had saved it in the browser’s automated login feature! Thus, I could log in to the account.

I thought perhaps I’d change the password to something new. Fortunately, their security prevented me from changing the password by requiring me to enter the current password before I could proceed. But I did not know the current password!

Then I noticed the email address set up for the account was an old one that my daughter used years ago. The email address probably does not exist any more. However, I could change the email address! And I did not have to enter the current password to do so!

I then logged out, went to the login screen and said I had forgotten the password. Veoh sent me a password reset link and I quickly reset the password.

This is another example – albeit a minor one – of a potential security vulnerability. I could change the email address and then use that to set a new password – but I could not directly change the password without providing the current password! Obviously, it would be safer for them to have a secondary authentication step on changing the email address.

Online service seem to be full of these poor security practice examples.